Archive

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to systemic issues. We should be raising questions and bringing to light topics such as:

Opportunism and fear mongering by politicians and our own industry.

Vandalism portrayed as terrorism.

The inadequacy of traditional investigative methods in cybercrime.

Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.

Pre-determined attribution in hacking and geopolitics.

A geopolitical reaction to issues stemming from poor corporate oversight.

The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).

The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that that’s exactly the point. Why do we build technology if not to solve societal and human-scale issues? If we are creating technology as its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.

Are sloppy security controls actually beneficial to a company during a breach? This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times.

A retail merchant, Genesco, is suing Visa over fines from a security breach. The claim is that Visa improperly imposes penalties that are legally unenforceable and in violation of contracts. Genesco had a security breach, but claims that there’s no positive evidence that any credit card data was breached. Here’s Genesco’s logic, from what I can tell:

Our server reboots. A lot. So often that no credit card numbers were ever in the log files.

We don’t have Network Security Monitoring that could say whether the credit card numbers were exfiltrated.

We can prove that some of the card numbers Visa said were breached couldn’t have been. No details provided.

This is the Schrodinger’s Cat of information security. In the absence of good evidence either way, a breach both has and has not occurred. In the vacuum of that ambiguous information, whether or not the data has been breached is as much a question of philosophy as of physics…or Incident Response. So poor security monitoring actually helps companies by giving them options on whether to declare a breach or not. This is an interesting cocktail party discussion topic for your next Infosec meeting and can make for some great conversations.

But the lawsuit probably won’t be decided on the technical security details of the case. The lawsuit seems to be more about how and when Visa can assess fines and penalties. There may be some technical talk during the proceedings, but it’s doubtful that a court would open its judgement up to questioning by letting the decision rest on what is sure to be conflicting testimony by each side’s experts.

Still, this will be interesting to watch as it has a lot to do with implementation of Payment Card Industry security standards. Genesco seems to be saying that they were compliant with the PCI-DSS at the time of the breach. That’s a frequent claim after breaches, but that status is often revoked after the fact by the card brands. And that’s bound to bring out heated discussions around the Infosec community and potentially in the courtroom.

The KT breach may have taken 7 months to execute, though it is not clear whether this indicates how long the attackers had access to KT networks. The breach was said to have been detected by internal security systems in mid-July. In a statement, Korea Telecom says that the information has been “returned” and that there should be no further damage; however, the Korean Telecom Commission has said that it can’t be 100% certain of that. KT has not said whether the leaked information includes financial information such as credit card numbers or bank accounts, but given the extensive list of items that were leaked it is likely that this information was at least accessible to the attackers. The information the company admits was leaked includes the following.

The attackers, as well as buyers of the illegal information, have been arrested. Based on early reports it appears that the attackers had help from an insider to bypass security systems and gain information on Korea Telecom’s internal systems. The attackers are reported to have claimed they attacked KT because KT has the highest profits, though it’s not clear whether there was a political motivation as well as a financial one for the attacks.

Korea has experienced many high-profile breaches over the last 5 years. Most Koreans have likely been affected by several of these personal information compromises. All told, the number of records breached exceeds the number of citizens of the country by a wide margin. What’s unclear is whether the actual number and severity of breaches has increased or whether they’ve simply gotten more attention. But the rate of breaches seems to have increased. Here is a brief list of several high-profile breaches since 2008:

Legal remedies for individuals harmed have been tough to come by. A court case against Auction Korea, for example, was unsuccessful because the judge decided that the plaintiffs had failed to demonstrate causality. That is, they couldn’t show that the defendant had caused the breach, nor could they show that poor security was chiefly responsible for it. Therefore Auction Korea was not deemed liable for the associated damages. At the time it was not possible to sue for negligence under Korean law.

The Korea Telecom breach is the first one since the Personal Information Protection Act (PIPA) came into effect in 2012 in Korea. (Note that this is not related to the US Protect IP Act.) The Korean PIPA law is described as a “comprehensive personal data protection law,” which restricts collection of personal information and specifies that handling precautions must be in place to prevent breaches. And in a reversal of the provision that has prevented successful legal actions, PIPA allows plaintiffs to sue for negligence. This shifts the burden of proof onto the company that suffered the breach, which must demonstrate that its measures were compliant with PIPA.

If a case is brought against Korea Telecom under PIPA, the result will set a precedent in the Korean legal system. But that case may not be hard to prove. A Korean lawyer is quoted as saying “As the results of the investigation haven’t been announced, it is hard to make a provisional conclusion. But the fact that the criminals who leaked KT personal information prepared their hacking program for 7 months and it was hardly detectable as they leaked small amounts of information. For now, there is still a possibility that KT can claim that they upheld their duty of technical protective action well.”

Privacy rights proponents should carefully weigh the benefits of taking this case to court. On the one hand, they should seek justice for the wronged and consequences for the breached. On the other, if they fail to make a strong case, the precedent set may set privacy rights back. Either way, this will be a case to look for if it appears on the docket.

DISCLAIMER: Stratigos Security is not offering a legal opinion, nor has this article been written by a lawyer. Although we did use the services of a Korean translator for much of the research and fact checking, there may still be errors due to the language barrier. We ask that you take our words with a grain of salt and independently verify important facts. That’s just good journalistic practice. We did the best we could, but you shouldn’t believe it just because it’s on the Internet. That’s just plain common sense.